Legal claims defining the scope of protection, as filed with the USPTO.
1. A method for detecting domain fronting within a network, the method comprising: collecting, from a plurality of devices within the network, network data; identifying, based at least in part on the network data, data associated with one or more hosting providers of a plurality of hosting providers, the data indicating potential support of domain fronting by the one or more hosting providers; sending, to the one or more hosting providers and based on the data, one or more scans; receiving, from the one or more hosting providers, result data associated with the one or more scans, the result data comprising indications of whether the one or more hosting providers support domain fronting; and generating, based at least in part on the result data, an enhanced threat intelligence feed.
2. The method of claim 1, wherein the network data comprises domain names and IP addresses.
3. The method of claim 1, wherein identifying the data associated with the one or more hosting providers comprises passively observing the network data.
4. The method of claim 3, wherein the data comprises one or more canonical names associated with one or more domain names or IP addresses.
5. The method of claim 1, wherein the one or more scans comprise: sending, to a hosting provider, a first request comprising one or more of a first canonical name, a first domain name, or a first IP address; receiving, from the hosting provider, first result data; sending to the hosting provider, a second request comprising one or more of a second canonical name, a second domain name, or a second IP address; receiving, from the hosting provider, second result data; and determining, based at least in part on the first result data and the second result data whether the hosting provider supports domain fronting.
6. The method of claim 1, further comprising: determining, based on the result data, that a hosting provider of the one or more hosting providers supports domain fronting, wherein the enhanced intelligence feed associates a domain of the hosting provider with domain fronting.
7. The method of claim 1, wherein the enhanced threat intelligence feed comprises a list of domains that support domain fronting.
8. The method of claim 7, wherein the list further comprises one or more of: a canonical name associated with each domain; a process name or one or more hashes associated with each domain; one or more applications associated with each domain; or one or more IP subnets associated with each domain.
9. A system comprising: one or more processors; and one or more non-transitory computer-readable media storing computer-executable instructions that, when executed by the one or more processors, cause the one or more processors to perform operations comprising: collecting, from a plurality of devices within a network, network data; identifying, based at least in part on the network data, data associated with one or more hosting providers of a plurality of hosting providers, the data indicating potential support of domain fronting by the one or more hosting providers; sending, to the one or more hosting providers and based on the data, one or more scans; receiving, from the one or more hosting providers, result data associated with the one or more scans, the result data comprising indications of whether domain fronting is supported by the one or more hosting providers; and generating, based at least in part on the result data, an enhanced threat intelligence feed.
10. The system of claim 9, wherein the network data comprises domain names and IP addresses.
11. The system of claim 9, wherein identifying the data associated with the one or more hosting providers comprises passively observing the network data.
12. The system of claim 10, wherein the data comprises one or more canonical names associated with one or more domain names or IP addresses.
13. The system of claim 9, wherein the one or more scans comprise: sending, to a hosting provider of the one or more hosting providers, a first request comprising one or more of a first canonical name, a first domain name, or a first IP address; receiving, from the hosting provider, first result data; sending to the hosting provider, a second request comprising one or more of a second canonical name, a second domain name, or a second IP address; receiving, from the hosting provider, second result data; and determining, based at least in part on the first result data and the second result data whether the hosting provider supports domain fronting.
14. The system of claim 9, the operations further comprising: determining, based on the result data, that a hosting provider of the one or more hosting providers supports domain fronting, wherein the enhanced intelligence feed associates a domain of the hosting provider with domain fronting.
15. The system of claim 9, wherein the enhanced threat intelligence feed comprises a list of domains that support domain fronting.
16. The system of claim 15, wherein the list further comprises one or more of: a canonical name associated with each domain; a process name or one or more hashes associated with each domain; one or more applications associated with each domain; or one or more IP subnets associated with each domain.
17. One or more non-transitory computer-readable media storing computer-readable instructions that, when executed by one or more processors, cause the one or more processors to perform operations comprising: collecting, from a plurality of devices within a network, network data; identifying, based at least in part on the network data, data associated with one or more hosting providers, the data indicating potential support of domain fronting by the one or more hosting providers; sending, to the one or more hosting providers and based on the data, one or more scans; receiving, from the one or more hosting providers, result data associated with the one or more scans, the result data comprising an indication of whether a respective hosting provider supports domain fronting; and generating, based at least in part on the result data, an enhanced threat intelligence feed.
18. The one or more non-transitory computer-readable media of claim 17, wherein identifying the data associated with the one or more hosting providers comprises passively observing the network data.
19. The one or more non-transitory computer-readable media of claim 17, wherein the one or more scans comprise: sending, to a hosting provider of the one or more hosting providers, a first request comprising one or more of a first canonical name, a first domain name, or a first IP address; receiving, from the hosting provider, first result data; sending to the hosting provider, a second request comprising one or more of a second canonical name, a second domain name, or a second IP address; receiving, from the hosting provider, second result data; and determining, based at least in part on the first result data and the second result data whether the hosting provider supports domain fronting.
20. The one or more non-transitory computer-readable media of claim 17, wherein the enhanced threat intelligence feed comprises a list of domains that support domain fronting, and wherein the list further comprises one or more of: a canonical name associated with each domain; a process name or one or more hashes associated with each domain; one or more applications associated with each domain; or one or more IP subnets associated with each domain.
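The flow recited in claims 1 through 8, as an added offline example that is not part of the patent or of any product: passive observations are mapped to hosting providers by CNAME, two result records per provider are compared, and the feed is built from the providers judged to support fronting. The provider suffixes, the sample records, the comparison rule and the /24 grouping are all assumptions, since the claims do not specify them.

```python
import ipaddress
from collections import defaultdict

# Hypothetical CNAME suffix -> hosting provider map (assumption, not from the claims).
PROVIDER_SUFFIXES = {".cdn-a.example": "cdn-a", ".cdn-b.example": "cdn-b"}

# Constructed passive DNS observations: (device, domain, cname, ip).
OBSERVATIONS = [
    ("host-1", "app.shop.example", "shop.edge.cdn-a.example", "203.0.113.10"),
    ("host-2", "img.news.example", "news.edge.cdn-a.example", "203.0.113.77"),
    ("host-2", "api.bank.example", "bank.edge.cdn-b.example", "198.51.100.5"),
    ("host-3", "intranet.corp.example", None, "192.0.2.8"),
]

# Constructed scan results per provider: (first result data, second result data).
# Assumed meaning: first = baseline response, second = response to a request whose
# names disagree. Each result is (HTTP status, body digest).
SCAN_RESULTS = {
    "cdn-a": ((200, "d1"), (200, "d1")),
    "cdn-b": ((200, "d2"), (421, "")),
}

def candidates(observations):
    """Claims 3-4: passively map observed CNAMEs to hosting providers."""
    found = defaultdict(list)
    for _device, domain, cname, ip in observations:
        for suffix, provider in PROVIDER_SUFFIXES.items():
            if cname and cname.endswith(suffix):
                found[provider].append((domain, cname, ip))
    return found

def supports_fronting(first, second):
    """Claim 5: decide from both results (assumed rule: mismatch served like baseline)."""
    return first[0] == 200 and second == first

def build_feed(observations, scan_results):
    """Claims 6-8: list domains on fronting-capable providers with CNAME and subnet."""
    feed = []
    for provider, rows in sorted(candidates(observations).items()):
        if provider in scan_results and supports_fronting(*scan_results[provider]):
            for domain, cname, ip in rows:
                # /24 grouping is an assumption made for this example.
                subnet = str(ipaddress.ip_network(f"{ip}/24", strict=False))
                feed.append({"domain": domain, "provider": provider,
                             "cname": cname, "subnet": subnet})
    return feed

if __name__ == "__main__":
    for entry in build_feed(OBSERVATIONS, SCAN_RESULTS):
        print(entry)
```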
June 17, 2025